BA balks as ICO proposes record £183m GDPR fine

British Airways has hit back at the proposed record £183.39 million GDPR fine - announced this morning by the Information Commissioner’s Office - saying it is "surprised and disappointed" by the ruling, and insisting it "responded quickly to a criminal act to steal customers’ data".

The so-called "notice of intent of regulatory action" follows an extensive investigation by the ICO and relates to a cyber incident which BA reported to the regulator in September 2018.

The ICO found that the incident was sparked when hackers diverted user traffic from the British Airways website to a fraudulent site. Through this false site, customer details were harvested by the attackers. The personal data of approximately 500,000 customers was compromised in the attack, which is believed to have begun in June 2018.

The investigation found that a variety of information was compromised by poor security arrangements at the company, including login and travel booking details as well as name and address information. Details of payment cards, including the number, expiry date and three-digit security code or “card verification value” (CVV), were also stolen.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO said it will "consider carefully" the representations made by the company and the other concerned data protection authorities before it takes its final decision.

However, BA chairman and chief executive Alex Cruz insisted that there was no evidence of any fraudulent activity on accounts linked to the theft.

He added: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data.”

Willie Walsh, chairman of BA parent company the International Airlines Group, commented: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

While the £183.39 million fine is the highest issued so far across Europe for a breach of GDPR, it represents 1.5% of BA’s £12.2 billion annual worldwide revenues. The maximum penalty under the regulation is 4% of global sales, meaning the fine could have been as high as £488 million.
